Security Corner

I’m regularly baffled by the incongruous nature of security in this country. We seemingly don’t have a set of standards – or even common sense – when it comes to locking down our valuable data assets and letting others remain accessible.

The event that brought this fully to mind was when I was watching Ocean’s Eleven for the fortieth time. Specifically when the group of thieves is able to get a cart with a person inside into the main vault at the Bellagio hotel and casino.

Yes, it’s fiction, but the similarities in security emphasis astound me when it comes to day-to-day activity.

Here is a list of scenarios that I’d like you to examine. At the end, I’ll tell you which ones actually occurred because security was so lax.

A Facebook page was created and the ‘person’ on the page was followed by news outlets and other fact-aware businesses.

Thieves posed as real estate agents and were able to have unfettered access to homes in upscale towns near Boston at regular times during the week.

A car thief was able to steal an expensive vehicle just by standing around outside a luxury hotel and pretending to be a valet.

People were able to get medical services just by saying they were someone else at the reception desk at a doctor’s office.

Criminals were able to steal the credit card and ATM card data of dozens of people in a busy city just by putting a skimming device on a bank ATM.

Had enough? All of these – except the medical scenario – actually occurred at one time or another in the past couple of years. In fact, as security becomes more of a focus at the high end, more crimes will happen in situations where technology plays a much smaller role.

Take the valet car attendant, for example. That’s an easy scam. Just get some black sneakers, black jeans and a jacket and you can probably take any car you want from a person pulling up to a hotel.

The Facebook scam has been done hundreds of times and I actually use it as an example in my social media training sessions.

The real estate scam is an oldie but a goodie. Seldom do listing agents require you to show ID when you visit a broker or regular open house. You’re not going to run off with the entire property, so where’s the danger? It lies in figuring out the home security and coming back at a later date to clean out the house.

And skimmers are regularly found on all types of credit card machines all over big cities.

So, what are we to do if we want to remain safe and secure? Pay attention. Don’t allow yourself to get fooled by people, devices or situations. Have your wits about you and maintain good passwords for all your accounts – social and financial.

And most of all be skeptical. Keep your belongings secure, store copies of IDs and credit information in a safe deposit box and in a secure online repository. Then ensure anyone you have as an agent for your stuff (home, car, social account, bank account) treats those things with the same care you would.

It only takes getting burnt once to make you wake up and pay attention. Why not do so before something bad happens?

As you’ve probably noticed, we’ve been putting on a regular #ITKESecurity Twitter chat about once a month. The goal of the chat is to answer some of the questions you might have regarding security issues.

This week we hosted a discussion based on Disaster Recovery and it went quite well. The questions – five of them – centered on your plans when disaster strikes and how you plan to recover your information and take control of your facilities in the event of an emergency.

When you read about someone getting pins in their body, you immediately think about a broken bone and the procedure needed to repair it. In the medical field, we’re now hearing about pins in another way…as a security device.

These pins aren’t the titanium ones that go into ankles and hips, they’re the ones that come with credit cards and are secured by the latest chip-and-PIN technology. But why is this necessary? Has there been an issue around medical record security?

I ask that tongue-in-cheek, knowing full well that Anthem and other medical insurance and service providers are fully under attack. Our data in hospitals is no safer now than it was at Target or Home Depot. And the time has come for us to take note.

Some facilities are doing just that with the aforementioned technology. They’re making it impossible for you to share your data without a membership card that is as secure as any credit card you own. In fact, I was just in a health center for a minor procedure and it amazed me at how seriously the staff is taking this breach and the issue of info-security.

It makes you feel good when the administrative assistant at the reception desk asks you for your date of birth, full name AND photo ID just to let you see the doctor. It’s a bit of overkill when they request the same information at other times. For example, to ensure you’re the right person to go through an intrusive and embarrassing procedure like a colonoscopy.

Seriously, who is going to hack a medical record, forge an ID and then sneak into a clinic to get a medical scope jammed up their backside? But I digress. The issue of information safety in the medical realm is one we could learn from.

They’ve responded fast, fully and effectively to lock down our data and keep us safe. Perhaps it’s time the credit card companies, places like eBay and services like Uber get their ducks in a row and protect their staff and customer data.

If they don’t work on this fast and properly, I’d certainly be in favor of sending their executives for a few embarrassing medical procedures just to get their attention.

What’s your take? Should all businesses take the strong tack medical and insurance companies have instituted?

Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:

Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.

You’ve heard it before and you’re going to hear it again from me. When it comes to using the internet, TRUST NO ONE. For anyone who may be receiving this data in some way other than reading it with your own eyes, that mantra is written in red, all caps, bold, italicized and underscored text. If you are connected to the internet, you have to assume that everyone and anyone can see everything and anything originating from your computer or other connected device. We write about security all the time. We promulgate all sorts of techniques and tips about how to be more secure online. Sure, these things may protect you from hackers and common cybercriminals, but they will never protect you from the largest criminal organizations on the planet: NSA, GCHQ and other spy agencies. Your operating system is not secure; your software is not secure; your email is not secure. It’s questionable that any commercial hardware you use is secure.

It’s a sad state of affairs when companies we trust turn out to be engaged in criminal mischief. In 2005, Sony BMG installed rootkits on the computers of anyone who purchased and played certain music CDs. As a result of that betrayal, I and many others boycotted Sony-produced products. Now, yet another huge and trusted company, a supplier of quality computer products that many of us have in our organizations, has screwed the pooch. I didn’t join in the fray on Thursday when it was revealed that computer maker Lenovo has been shipping laptops with preinstalled malware that makes you more vulnerable to hackers — all for the sake of serving you advertisements. I like to step back and breathe a little before I react to such news. Well, I’ve breathed a bit since Thursday, looked it over, and have decided that I’m mad as hell. And, as in my personal boycott against all things Sony, I’ll do my damnedest never to buy anything made by Lenovo again.

At the college where I work I have a mobile computer lab comprising 20 Lenovo ThinkPad Edge notebooks. Lenovo says they didn’t install the malware on this model, but can I really trust them? I don’t think so. I’m thankful that when I initially took delivery of these notebooks, I wiped the Microsoft Windows 8 factory image and installed our own Windows 7 image. It contains no factory-installed software. Nevertheless, we won’t be buying any more of these or anything branded Lenovo despite their complete BS we-didn’t-think-we-were-doing-anything-wrong statement:

In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques.

. . .

To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.

Be careful to wear high boots and proper protective clothing while you’re “digging in on this issue,” Lenovo, and consider this: Cybercriminals go to jail for doing what you did.

To any other companies looking to “enhance our user experience,” why don’t you just give us bug-free, secure products that do what WE want them to do and stop treating us like lemmings.

Not rubbing it in, but I recently spent a little time where it’s warm. Specifically on the Gulf coast of Florida. That’s not a security topic, but what happened when I was on the island offers a lesson in keeping your eyes open if you want to remain safe.

The town of Sanibel Island, FL is – as the name suggests – an island. They have toll booths that keep track of the people who come over the bridge to vacation or work. And they have staff who are ready to lock down access to the island at a moment’s notice if there’s a crime or similar event in the town. That’s what keeps it pretty safe.

If you plan to rob a bank, steal a bike, take some merchandise, you’d better be prepared to swim your way to your lair. Getting away when they lock down the bridge is akin to being trapped on Alcatraz. But that’s neither here nor there. I wanted to talk to you about nature and how the professional park ranger keeps nature safe.

Seriously. Nature sometimes needs safekeeping from people who want to get too close, feed animals human food, and generally make themselves a nuisance. And on Sanibel Island, FL there is a national park called the JN Ding Darling Wildlife Refuge. AND in that refuge are plenty of examples of nature.

I told you all that back story to share a story and impart a lesson.

Here’s the lesson… If you keep your eyes open, you’re well on your way to keeping your company and facility safe. When your facility is safe, your data is likely safer. Then your entire organization is better off.

Here’s the story… I wanted a photo of an owl. I’ve been chasing owls all over the world (mostly the Northeast and Florida) for about 15 months. I had my chance with the JN Ding Darling Refuge as a backdrop for my photos.

During my mini vacation, I was informed that there was a certain nature trail where an owl liked to hang out.

I promptly made my way to that trail with my camera. Strolling along, I saw a mass of people looking up at an old palm tree that had a few holes in it. In one of those holes was a little screech owl. I waited until the crowd moved along and then steadied my camera to take some photos.

That was fine. I got some good photos, but as all humans are likely to feel…I wanted more. So I moved a bit closer to the owl, remaining on the path, and took some more photos. Then I realized I could get a photo that few other people had by lifting my camera above my head and shooting photos at eye level with the bird.

That’s when it happened. No, I didn’t get pecked or clawed or dive-bombed. I did get a sharp tap on my shoulder from a diminutive park ranger. She came up to me and sternly suggested I not put my camera in the face of the owl.

I looked at her quizzically because I was on the path, the plane where I had my camera held was in line with where I was standing and no closer horizontally to the owl. But from her perspective, the camera was starting to get too close to the bird. She told me so and explained that she was now on the lookout because another visitor had actually tried to put the camera inches away from the owl before he was warned away.

I understood. And it made me aware of how I could use the experience as a lesson. Because the ranger was vigilant and looking out for breaches in the protocol of the park, she was able to keep the animals safe. She was also smart enough to have set a perimeter so she could anticipate issues before they arose.

In my case, I was never going to get right next to the owl. He (or she) was 11 feet off the ground in the tree. I stand about five feet, ten inches tall. The physics don’t work. But when it comes to security and keeping thieves (or breaches) at bay, the approach works fine. Keep danger far enough away and you can ensure complete safety for your facilities and data.

That’s why having systems in place and setting up proven responses is paramount to good security. Think about the owl and photographer next time you’re in a meeting with IT or your CTO. Then come up with ways to keep the bad guys outside your own organization’s perimeter.

You’ll be safer and happier in the long run. Oh, I’m back north now in the cold and the snow. No danger of me bothering that owl anytime soon.

Breaches, breaches, breaches. It’s all part of the daily news in IT security. It’s a good idea to keep tabs on your accounts, especially your email, to see if you’re relatively safe. I say “relatively” because no one is really safe on the internet anymore. I use two services: PwnedList.com and haveibeenpwned.com to periodically check my email accounts. PwnedList allows you to set up all of your email addresses and will send you notifications; haveibeenpwned.com will notify you about one account but requires you to manually check for others unless you make special arrangements.

PwnedList actively protects you by continually monitoring sites that host stolen credentials and other security data. If your data has been compromised we’ll notify you immediately—but that’s not all. You can check your online accounts and know with virtual certainty whether they’ve been compromised at any time.

Once you set up an account with them, you can add as many email addresses as you want. You will only be notified if any of them show up as being compromised.

—

[Troy Hunt, a Microsoft Most Valuable Professional] created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

To find out if any of your accounts have been pwned, you can visit http://www.haveibeenpwned.com, enter your email address (you can check as many email addresses as you want) and click the “pwned?” button. You’ll get one of two responses as shown below:

The one above shows you’re OK. No need to fret about it. If you get the one below, you had better take action: change your password immediately.
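The manual check for several addresses that the post describes can be scripted. This is an added example, not code from the blog or from Have I been pwned?: it assumes the current HIBP v3 "breachedaccount" endpoint and its hibp-api-key header (an API key, which the post does not mention, is required), and it uses constructed canned responses so the logic runs offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Have I been pwned? v3 "breached account" endpoint (assumed current API; the post
# only describes the web form). It needs an API key, sent in the hibp-api-key header.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"


def fetch_hibp(account, api_key):
    """Live fetcher: returns (HTTP status, body). HIBP answers 404 for 'not breached'."""
    req = urllib.request.Request(
        HIBP_URL.format(urllib.parse.quote(account)),
        headers={"hibp-api-key": api_key, "user-agent": "batch-pwn-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_accounts(accounts, fetch, backoff=2.0, max_retries=3):
    """fetch(account) -> (status, body). Returns {address: [(name, date, data classes)]};
    an empty list means the address was not found in any breach."""
    report = {}
    for account in accounts:
        for attempt in range(max_retries):
            status, body = fetch(account)
            if status == 404:          # not in any breach
                report[account] = []
                break
            if status == 200:          # one JSON object per breach
                report[account] = [(b["Name"], b["BreachDate"], b.get("DataClasses", []))
                                   for b in json.loads(body)]
                break
            if status != 429:          # 401 bad key, 400 malformed address, ...
                raise RuntimeError(f"{account}: unexpected HTTP {status}")
            time.sleep(backoff * (attempt + 1))   # rate limited: back off, then retry
        if account not in report:
            raise RuntimeError(f"{account}: still rate limited after {max_retries} tries")
    return report


def needs_password_change(report):
    """Addresses whose breaches exposed passwords: change those passwords first."""
    return sorted(addr for addr, hits in report.items()
                  if any("Passwords" in classes for _, _, classes in hits))


# Constructed canned answers standing in for the live service (not real HIBP data).
FAKE_RESPONSES = {
    "clean@example.com": [(404, "")],
    "victim@example.com": [(429, ""),   # first call throttled, second succeeds
                           (200, json.dumps([{"Name": "ExampleSite", "BreachDate": "2014-12-01",
                                              "DataClasses": ["Email addresses", "Passwords"]}]))],
}


def fake_fetch(account):
    """Hands out the canned answers in order, repeating the last one."""
    queue = FAKE_RESPONSES[account]
    return queue.pop(0) if len(queue) > 1 else queue[0]
```

Against the live service, pass `lambda a: fetch_hibp(a, YOUR_KEY)` as the fetcher in place of `fake_fetch`.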

I just couldn’t resist letting my readers see this latest variation on the Nigerian 419 scam. I can’t believe these things are even still going on. Anyway, I got a good laugh out of this and I hope you do, too. You see, I paid “VIRTUALLY all fees and certificate,” but I still have to “SEND THE FEE FOR THE HARD DISK FIRST BEFORE I MAKE YOUR TRANSFER OR YOU BUY THE HARD DISK IN YOUR COUNTRY AND SEND IT TO ME,” before anything happens. But the great part is, “Miss Faith Okeke” will “run away from Nigeria to meet with you.” So, I get a bunch of money and a girlfriend, to boot. Fun stuff. I’m of half a mind to play along and reverse the scam on “her.”

Subject: THE TRUTH ABOUT YOUR FUND IN MY POSSESSION
Dear FRIEND,
I am Miss FAITH OKEKE. a computer scientist with central bank of Nigeria. I
am 26 years old, just started work with C.B.N. I came across your file which was
marked X and your released disk painted RED, I took time to study it and found
out that you have paid VIRTUALLY all fees and certificate but the fund has not
been release to you. The most annoying thing is that they cannot tell you the
truth that on no account will they ever release the fund to you, instead they
let you spend money unnecessarily.
I do not intend to work here all the days of my life, I can release this fund to
you if you can certify me of my security, and how I can run away from this
Nigeria if I do this, because if I don't run away from this country after i made
the transfer, I will be seriously in trouble and my life will be in danger.
Please this is like a Mafia setting in Nigeria, you may not understand it
because you are not a Nigerian.
The only thing I will need to release this fund is a special HARD DISK we call
it HD120 GIG. I will buy two of it, recopy your information, destroy the
previous one, punch the computer to reflect in your bank within 24 banking
hours. I will clean up the tracer and destroy your file, after which I will run
away from Nigeria to meet with you. If you are interested.
SPECIAL INFORMATION:
YOU WILL SEND THE FEE FOR THE HARD DISK FIRST BEFORE I MAKE YOUR TRANSFER OR YOU BUY
THE HARD DISK IN YOUR COUNTRY AND SEND IT TO ME,DON'T CONTACT ME IF YOU CAN NOT SEND
THE HARD DISK FEE FIRST OR THE HARD DISK. AS SOON AS I RECEIVED YOUR EMAIL I WILL LET
YOU KNOW HOW MUCH THE DISK WILL COST YOU.
Do get in touch with me immediately, You should send to me your convenient
tell/fax numbers for easy communications and also re confirm your banking
details, so that there won't be any mistake.
For phone conversation,please call me on +234-8052520211
Regards,
Miss FAITH OKEKE

In the wake of the Anthem breach, which affected approximately 80 million customers, cyber-criminals are launching phishing attacks by faking notifications from the company. They look pretty convincing (see photo) and unfortunately, a lot of gullible people are liable to fall for the ruse.

Anthem Phishing Email (Photo/Anthem)

Cyber-criminals often use alarming news stories to develop phishing campaigns and profit from unwary users who fall for the scheme. In this case, the crooks provide a link to a free year of credit monitoring for those who click the link. All that will happen, however, is the victim’s credit card information will be stolen.

Anthem has put up a FAQ page to deal with the breach. On that page, Anthem says, “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind.” Note that they put no time limit on said monitoring and protection.

The company has also established a toll-free number, 1-877-263-7995, which currently delivers a recording warning of the phishing attempts and also outbound call scams directed at current and former members. The recording warns, “These emails and calls are not from anthem and no notifications have been sent from anthem since the initial notification on Feb. 4, 2015.” The recording further states that all notifications will be sent out in the coming weeks via snail mail.

My standard advice in these situations is always:

NEVER click on any links in emails.

NEVER reply to such emails or communicate in any way with the senders.

NEVER provide any information in any website that has popped open, whether or not you have clicked on a link in an email.

NEVER open email attachments.

NEVER give any caller who contacts you any personal information. Hang up and call the company directly.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.